1
@node Syslog, Mathematics, Low-Level Terminal Interface, Top
2
@c %MENU% System logging and messaging
6
This chapter describes facilities for issuing and logging messages of
7
system administration interest. This chapter has nothing to do with
8
programs issuing messages to their own users or keeping private logs
9
(One would typically do that with the facilities described in
10
@ref{I/O on Streams}).
12
Most systems have a facility called ``Syslog'' that allows programs to
13
submit messages of interest to system administrators and can be
14
configured to pass these messages on in various ways, such as printing
15
on the console, mailing to a particular person, or recording in a log
16
file for future reference.
18
A program uses the facilities in this chapter to submit such messages.
21
* Overview of Syslog:: Overview of a system's Syslog facility
22
* Submitting Syslog Messages:: Functions to submit messages to Syslog
25
@node Overview of Syslog
26
@section Overview of Syslog
28
System administrators have to deal with lots of different kinds of
29
messages from a plethora of subsystems within each system, and usually
30
lots of systems as well. For example, an FTP server might report every
31
connection it gets. The kernel might report hardware failures on a disk
32
drive. A DNS server might report usage statistics at regular intervals.
34
Some of these messages need to be brought to a system administrator's
35
attention immediately. And it may not be just any system administrator
36
particular kind of message. Other messages just need to be recorded for
37
future reference if there is a problem. Still others may need to have
38
information extracted from them by an automated process that generates
41
To deal with these messages, most Unix systems have a facility called
42
"Syslog." It is generally based on a daemon called ``Syslogd''
43
Syslogd listens for messages on a Unix domain socket named
44
@file{/dev/log}. Based on classification information in the messages
45
and its configuration file (usually @file{/etc/syslog.conf}), Syslogd
46
routes them in various ways. Some of the popular routings are:
50
Write to the system console
52
Mail to a specific user
56
Pass to another daemon
61
Syslogd can also handle messages from other systems. It listens on the
62
@code{syslog} UDP port as well as the local socket for messages.
64
Syslog can handle messages from the kernel itself. But the kernel
65
doesn't write to @file{/dev/log}; rather, another daemon (sometimes
66
called ``Klogd'') extracts messages from the kernel and passes them on to
67
Syslog as any other process would (and it properly identifies them as
68
messages from the kernel).
70
Syslog can even handle messages that the kernel issued before Syslogd or
71
Klogd was running. A Linux kernel, for example, stores startup messages
72
in a kernel message ring and they are normally still there when Klogd
73
later starts up. Assuming Syslogd is running by the time Klogd starts,
74
Klogd then passes everything in the message ring to it.
76
In order to classify messages for disposition, Syslog requires any process
77
that submits a message to it to provide two pieces of classification
82
This identifies who submitted the message. There are a small number of
83
facilities defined. The kernel, the mail subsystem, and an FTP server
84
are examples of recognized facilities. For the complete list,
85
@xref{syslog; vsyslog}. Keep in mind that these are
86
essentially arbitrary classifications. "Mail subsystem" doesn't have any
87
more meaning than the system administrator gives to it.
90
This tells how important the content of the message is. Examples of
91
defined priority values are: debug, informational, warning, critical.
92
For the complete list, see @ref{syslog; vsyslog}. Except for
93
the fact that the priorities have a defined order, the meaning of each
94
of these priorities is entirely determined by the system administrator.
98
A ``facility/priority'' is a number that indicates both the facility
101
@strong{Warning:} This terminology is not universal. Some people use
102
``level'' to refer to the priority and ``priority'' to refer to the
103
combination of facility and priority. A Linux kernel has a concept of a
104
message ``level,'' which corresponds both to a Syslog priority and to a
105
Syslog facility/priority (It can be both because the facility code for
106
the kernel is zero, and that makes priority and facility/priority the
109
The GNU C library provides functions to submit messages to Syslog. They
110
do it by writing to the @file{/dev/log} socket. @xref{Submitting Syslog
113
The GNU C library functions only work to submit messages to the Syslog
114
facility on the same system. To submit a message to the Syslog facility
115
on another system, use the socket I/O functions to write a UDP datagram
116
to the @code{syslog} UDP port on that system. @xref{Sockets}.
119
@node Submitting Syslog Messages
120
@section Submitting Syslog Messages
122
The GNU C library provides functions to submit messages to the Syslog
126
* openlog:: Open connection to Syslog
127
* syslog; vsyslog:: Submit message to Syslog
128
* closelog:: Close connection to Syslog
129
* setlogmask:: Cause certain messages to be ignored
130
* Syslog Example:: Example of all of the above
133
These functions only work to submit messages to the Syslog facility on
134
the same system. To submit a message to the Syslog facility on another
135
system, use the socket I/O functions to write a UDP datagram to the
136
@code{syslog} UDP port on that system. @xref{Sockets}.
143
The symbols referred to in this section are declared in the file
148
@deftypefun void openlog (const char *@var{ident}, int @var{option}, int @var{facility})
150
@code{openlog} opens or reopens a connection to Syslog in preparation
151
for submitting messages.
153
@var{ident} is an arbitrary identification string which future
154
@code{syslog} invocations will prefix to each message. This is intended
155
to identify the source of the message, and people conventionally set it
156
to the name of the program that will submit the messages.
158
If @var{ident} is NULL, or if @code{openlog} is not called, the default
159
identification string used in Syslog messages will be the program name,
162
Please note that the string pointer @var{ident} will be retained
163
internally by the Syslog routines. You must not free the memory that
164
@var{ident} points to. It is also dangerous to pass a reference to an
165
automatic variable since leaving the scope would mean ending the
166
lifetime of the variable. If you want to change the @var{ident} string,
167
you must call @code{openlog} again; overwriting the string pointed to by
168
@var{ident} is not thread-safe.
170
You can cause the Syslog routines to drop the reference to @var{ident} and
171
go back to the default string (the program name taken from argv[0]), by
172
calling @code{closelog}: @xref{closelog}.
174
In particular, if you are writing code for a shared library that might get
175
loaded and then unloaded (e.g. a PAM module), and you use @code{openlog},
176
you must call @code{closelog} before any point where your library might
177
get unloaded, as in this example:
183
shared_library_function (void)
185
openlog ("mylibrary", option, priority);
187
syslog (LOG_INFO, "shared library has been invoked");
193
Without the call to @code{closelog}, future invocations of @code{syslog}
194
by the program using the shared library may crash, if the library gets
195
unloaded and the memory containing the string @code{"mylibrary"} becomes
196
unmapped. This is a limitation of the BSD syslog interface.
198
@code{openlog} may or may not open the @file{/dev/log} socket, depending
199
on @var{option}. If it does, it tries to open it and connect it as a
200
stream socket. If that doesn't work, it tries to open it and connect it
201
as a datagram socket. The socket has the ``Close on Exec'' attribute,
202
so the kernel will close it if the process performs an exec.
204
You don't have to use @code{openlog}. If you call @code{syslog} without
205
having called @code{openlog}, @code{syslog} just opens the connection
206
implicitly and uses defaults for the information in @var{ident} and
209
@var{options} is a bit string, with the bits as defined by the following
214
If on, @code{openlog} sets up the connection so that any @code{syslog}
215
on this connection writes its message to the calling process' Standard
216
Error stream in addition to submitting it to Syslog. If off, @code{syslog}
217
does not write the message to Standard Error.
220
If on, @code{openlog} sets up the connection so that a @code{syslog} on
221
this connection that fails to submit a message to Syslog writes the
222
message instead to system console. If off, @code{syslog} does not write
223
to the system console (but of course Syslog may write messages it
224
receives to the console).
227
When on, @code{openlog} sets up the connection so that a @code{syslog}
228
on this connection inserts the calling process' Process ID (PID) into
229
the message. When off, @code{openlog} does not insert the PID.
232
When on, @code{openlog} opens and connects the @file{/dev/log} socket.
233
When off, a future @code{syslog} call must open and connect the socket.
235
@strong{Portability note:} In early systems, the sense of this bit was
236
exactly the opposite.
239
This bit does nothing. It exists for backward compatibility.
243
If any other bit in @var{options} is on, the result is undefined.
245
@var{facility} is the default facility code for this connection. A
246
@code{syslog} on this connection that specifies default facility causes
247
this facility to be associated with the message. See @code{syslog} for
248
possible values. A value of zero means the default default, which is
251
If a Syslog connection is already open when you call @code{openlog},
252
@code{openlog} ``reopens'' the connection. Reopening is like opening
253
except that if you specify zero for the default facility code, the
254
default facility code simply remains unchanged and if you specify
255
LOG_NDELAY and the socket is already open and connected, @code{openlog}
256
just leaves it that way.
258
@c There is a bug in closelog() (glibc 2.1.3) wherein it does not reset the
259
@c default log facility to LOG_USER, which means the default default log
260
@c facility could be whatever the default log facility was for a previous
261
@c Syslog connection. I have documented what the function should be rather
262
@c than what it is because I think if anyone ever gets concerned, the code
268
@node syslog; vsyslog
269
@subsection syslog, vsyslog
271
The symbols referred to in this section are declared in the file
274
@c syslog() is implemented as a call to vsyslog().
277
@deftypefun void syslog (int @var{facility_priority}, char *@var{format}, ...)
279
@code{syslog} submits a message to the Syslog facility. It does this by
280
writing to the Unix domain socket @code{/dev/log}.
282
@code{syslog} submits the message with the facility and priority indicated
283
by @var{facility_priority}. The macro @code{LOG_MAKEPRI} generates a
284
facility/priority from a facility and a priority, as in the following
288
LOG_MAKEPRI(LOG_USER, LOG_WARNING)
291
The possible values for the facility code are (macros):
293
@c Internally, there is also LOG_KERN, but LOG_KERN == 0, which means
294
@c if you try to use it here, just selects default.
298
A miscellaneous user process
302
A miscellaneous system daemon
304
Security (authorization)
310
Network news (e.g. Usenet)
316
Private security (authorization)
337
Results are undefined if the facility code is anything else.
339
@strong{NB:} @code{syslog} recognizes one other facility code: that of
340
the kernel. But you can't specify that facility code with these
341
functions. If you try, it looks the same to @code{syslog} as if you are
342
requesting the default facility. But you wouldn't want to anyway,
343
because any program that uses the GNU C library is not the kernel.
345
You can use just a priority code as @var{facility_priority}. In that
346
case, @code{syslog} assumes the default facility established when the
347
Syslog connection was opened. @xref{Syslog Example}.
349
The possible values for the priority code are (macros):
353
The message says the system is unusable.
355
Action on the message must be taken immediately.
357
The message states a critical condition.
359
The message describes an error.
361
The message is a warning.
363
The message describes a normal but important event.
365
The message is purely informational.
367
The message is only for debugging purposes.
370
Results are undefined if the priority code is anything else.
372
If the process does not presently have a Syslog connection open (i.e.,
373
it did not call @code{openlog}), @code{syslog} implicitly opens the
374
connection the same as @code{openlog} would, with the following defaults
375
for information that would otherwise be included in an @code{openlog}
376
call: The default identification string is the program name. The
377
default default facility is @code{LOG_USER}. The default for all the
378
connection options in @var{options} is as if those bits were off.
379
@code{syslog} leaves the Syslog connection open.
381
If the @file{dev/log} socket is not open and connected, @code{syslog}
382
opens and connects it, the same as @code{openlog} with the
383
@code{LOG_NDELAY} option would.
385
@code{syslog} leaves @file{/dev/log} open and connected unless its attempt
386
to send the message failed, in which case @code{syslog} closes it (with the
387
hope that a future implicit open will restore the Syslog connection to a
395
syslog (LOG_MAKEPRI(LOG_LOCAL1, LOG_ERROR),
396
"Unable to make network connection to %s. Error=%m", host);
405
@deftypefun void vsyslog (int @var{facility_priority}, char *@var{format}, va_list arglist)
407
This is functionally identical to @code{syslog}, with the BSD style variable
416
The symbols referred to in this section are declared in the file
421
@deftypefun void closelog (void)
423
@code{closelog} closes the current Syslog connection, if there is one.
424
This includes closing the @file{dev/log} socket, if it is open.
425
@code{closelog} also sets the identification string for Syslog messages
426
back to the default, if @code{openlog} was called with a non-NULL argument
427
to @var{ident}. The default identification string is the program name
430
If you are writing shared library code that uses @code{openlog} to
431
generate custom syslog output, you should use @code{closelog} to drop the
432
GNU C library's internal reference to the @var{ident} pointer when you are
433
done. Please read the section on @code{openlog} for more information:
436
@code{closelog} does not flush any buffers. You do not have to call
437
@code{closelog} before re-opening a Syslog connection with @code{initlog}.
438
Syslog connections are automatically closed on exec or exit.
444
@subsection setlogmask
446
The symbols referred to in this section are declared in the file
451
@deftypefun int setlogmask (int @var{mask})
453
@code{setlogmask} sets a mask (the ``logmask'') that determines which
454
future @code{syslog} calls shall be ignored. If a program has not
455
called @code{setlogmask}, @code{syslog} doesn't ignore any calls. You
456
can use @code{setlogmask} to specify that messages of particular
457
priorities shall be ignored in the future.
459
A @code{setlogmask} call overrides any previous @code{setlogmask} call.
461
Note that the logmask exists entirely independently of opening and
462
closing of Syslog connections.
464
Setting the logmask has a similar effect to, but is not the same as,
465
configuring Syslog. The Syslog configuration may cause Syslog to
466
discard certain messages it receives, but the logmask causes certain
467
messages never to get submitted to Syslog in the first place.
469
@var{mask} is a bit string with one bit corresponding to each of the
470
possible message priorities. If the bit is on, @code{syslog} handles
471
messages of that priority normally. If it is off, @code{syslog}
472
discards messages of that priority. Use the message priority macros
473
described in @ref{syslog; vsyslog} and the @code{LOG_MASK} to construct
474
an appropriate @var{mask} value, as in this example:
477
LOG_MASK(LOG_EMERG) | LOG_MASK(LOG_ERROR)
483
~(LOG_MASK(LOG_INFO))
486
There is also a @code{LOG_UPTO} macro, which generates a mask with the bits
487
on for a certain priority and all priorities above it:
493
The unfortunate naming of the macro is due to the fact that internally,
494
higher numbers are used for lower message priorities.
500
@subsection Syslog Example
502
Here is an example of @code{openlog}, @code{syslog}, and @code{closelog}:
504
This example sets the logmask so that debug and informational messages
505
get discarded without ever reaching Syslog. So the second @code{syslog}
506
in the example does nothing.
511
setlogmask (LOG_UPTO (LOG_NOTICE));
513
openlog ("exampleprog", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1);
515
syslog (LOG_NOTICE, "Program started by User %d", getuid ());
516
syslog (LOG_INFO, "A tree falls in a forest");